Senior / Staff DevSecOps Engineer

At Twenty, we're taking on one of the most critical challenges of our time: defending democracies in the digital age. We develop revolutionary technologies that operate at the intersection of the cyber and electromagnetic domains, where the speed of operations exceeds human sensing and complexity transcends conventional boundaries. Our team doesn't just solve problems – we deliver game-changing outcomes that directly impact national security. We're pragmatic optimists who understand that while our mission of protecting America and its allies is challenging, success is possible.

You'll build and own the security infrastructure that keeps Twenty's engineering systems safe without slowing engineers down. This role spans runtime security, access control, secrets management, compliance, and CI/CD hardening — but it's equally about making security the path of least resistance. You'll embed with our engineering teams, design secure-by-default foundations, and build the tooling and automation that lets developers move fast without cutting corners. You'll report directly to the VP of Engineering and operate as a shared function across our product teams.

• You believe security should be a force multiplier for engineering, not a gatekeeper.

• You take ownership end-to-end: from identifying a risk to designing the control to shipping the fix.

• You bring high judgment to tradeoffs — you know when to enforce hard controls and when friction kills adoption.

• You communicate clearly with both engineers and non-technical stakeholders, and you translate risk into plain language.

• You prefer automation over policy: if an engineer has to do something manually to stay secure, you see that as a bug.

• You hold a high bar for reliability and auditability in the systems you build.

• You're self-directed and thrive in an environment where the function is new and you're defining it.

• Own runtime security and vulnerability management across cloud and container environments, including triage, prioritization, and remediation tracking.

• Design and enforce identity and access management (IAM) across AWS and internal systems — least-privilege by default.

• Own secrets and credentials management: policies, tooling, rotation, and developer workflows that make doing the right thing easy.

• Lead security incident response: detection, containment, root cause analysis, and durable remediation.

• Manage AWS Organization structure, account boundaries, SCPs, and guardrails.

• Harden and maintain CI/CD pipelines, embedding security scanning and policy enforcement into the software delivery lifecycle.

• Drive compliance efforts — own the evidence, controls, and remediation work to meet and maintain relevant frameworks.

• Build and maintain secure-by-default templates for repos, pipelines, and infrastructure modules.

• Reduce friction through automation: certificate issuance, secrets access, policy-as-code, and developer-facing tooling.

• Produce lightweight, practical security guidance that engineers actually use.

• Shape the direction of the DSO function as it scales, and contribute to hiring and team-building as we grow.

• 8+ years in DevSecOps, platform security, or a closely related security engineering role.

• Deep hands-on experience with AWS — IAM, SCPs, Organizations, security services (GuardDuty, Security Hub, CloudTrail, etc.).

• Strong IaC experience with Terraform; you've used it to enforce security controls, not just provision infrastructure — and you've layered in policy-as-code tooling (e.g., OPA, Checkov, tfsec) or continuous compliance checks (e.g., AWS Config Rules) to catch drift and misconfigurations.

• Experience owning secrets management end-to-end in a production engineering environment.

• Proven track record designing and hardening CI/CD pipelines (we use GitHub Actions).

• Hands-on experience with container security, including image scanning and runtime controls.

• Experience leading or meaningfully contributing to a compliance program; CMMC Level 2 (or NIST SP 800-171) experience strongly preferred.

• You've run incident response — you've been on call, you've led the post-mortem, and you've shipped the fix.

• Strong communication skills and the ability to drive security adoption through enablement, not mandates.

• Experience growing a DSO or security engineering function — expanding scope, tooling, and team.

• Familiarity with observability tooling and using it for security signal (we use the LGTM stack).

• Background in configuration management tooling (Ansible or similar).

• Experience with developer-facing security platforms or internal tooling that improved engineering workflows.

• Interest in growing into a lead or manager role as the team scales.

• Cloud: AWS (primary), Terraform for IaC, Ansible for configuration management

• Containers: Docker, Docker Compose

• CI/CD: GitHub Actions

• Vulnerability scanning: Trivy

• Observability: Grafana, Loki, Tempo, Mimir (LGTM stack)

• Alerting / on-call: PagerDuty

• Languages in use across engineering: Go, TypeScript/Node, React, Python

This role requires eligibility to obtain and maintain a U.S. Government security clearance. This role may involve work in a controlled environment.

If this role sounds like you, apply and share with us your interest.

Some positions may require eligibility to obtain a U.S. Government security clearance. Any clearance requirement will be listed in the role description.

Twenty is an equal opportunity employer. We consider all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, veteran status, disability, or any other protected status.

If you need a reasonable accommodation during the hiring process, let us know and we will work with you.